Google has removed six apps infected with Sharkbot, the Android banking stealer malware, from its app store, reports said. The apps had been downloaded 15,000 times before their removal.
All six apps were designed to pose as antivirus solutions and to select targets using a geofencing feature. The apps stole users’ login credentials for websites and services. The infected applications were used to target users in Italy and the UK, the reports suggest.
Check Point Research said in a blog post that the six Android applications pretending to be antivirus apps on the Google Play store were marked as “droppers” for Sharkbot. The malware is an Android stealer used to infect devices and steal login credentials and payment details. Once a dropper application is installed, it downloads the malicious payload and infects the device; because the dropper itself carries no malicious code, it evades detection during the app store's review.
The Sharkbot malware used by the six apps also used a ‘geofencing’ feature to target victims in specific regions. According to the Check Point Research team, the Sharkbot malware has been designed to identify and ignore users from India, China, Romania, Ukraine, Russia, and Belarus. The malware is capable of detecting when it is being run in a sandbox and immediately shuts down to prevent analysis.
The six applications were identified from three developer accounts — Adelmio Pagnotto, Zbynek Adamcik, and Bingo Like Inc. The team cited statistics from AppBrain, which revealed the 15,000 downloads.
Four of these apps were discovered in February and reported to Google in March. The applications were removed on March 9, Check Point Research said. Two more dropper apps were discovered on March 15 and March 22 — both were removed on March 27.
Check Point Research said users could protect themselves from malware masquerading as legitimate software by installing applications only from verified publishers. Users can also report seemingly suspicious app behaviour to Google.